Amazon button leaked user traffic

Shopping button let sneaks snoop

Amazon is the latest company to come under fire for misusing its browser extension bar, with security researcher Krzysztof Kotowicz accusing the company of invading privacy via its 1Button extension for Chrome.

“[The] first file defines what HTTPS sites can be inspected. The second file defines URL patterns to watch for, and XPath expressions to extract content being reported back to Alexa. The files are fetched from these URLs:

http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/httpsdatalist.dat

http://www.amazon.com/gp/bit/toolbar/3.0/toolbar/search_conf.js

“Yes. The configuration for reporting extremely private data is sent over plaintext HTTP. WTF, Amazon?”

He posted exploit code on GitHub, an action that was sufficient to persuade Amazon to repair one flaw: the data is now sent over HTTPS instead of HTTP.

Check your permissions: why would you click 'yes'?

However, the extent of the data captured by the button suggests it's far more invasive than is necessary for a shopping button. ®
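The two problems described above, a configuration file fetched over plaintext HTTP and a permission grant broad enough to read every page, are both visible from an extension's own files before it is installed. The following audit script is an added example, not code from the article or from Amazon; the manifest and background script it inspects are constructed to resemble a shopping toolbar, and the `config.example` and `report.example` hosts are placeholders.

```python
import json
import re
from typing import Dict, List

# Host-permission patterns that let an extension read every page the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Any URL fetched over plaintext HTTP; a config file pulled this way can be
# tampered with on the network before the extension acts on it.
PLAINTEXT_URL_RE = re.compile(r"http://[^\s'\"<>]+")


def audit_extension(manifest_json: str, sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Return findings for a Chrome extension: overly broad host permissions
    and plaintext-HTTP URLs embedded in its scripts."""
    manifest = json.loads(manifest_json)
    findings: Dict[str, List[str]] = {"broad_hosts": [], "plaintext_urls": []}

    # Manifest v2 lists host patterns under "permissions"; v3 under "host_permissions".
    for key in ("permissions", "host_permissions"):
        for perm in manifest.get(key, []):
            if perm in BROAD_HOST_PATTERNS:
                findings["broad_hosts"].append(perm)

    # Flag every http:// URL in the shipped scripts (https:// URLs do not match).
    for path, text in sources.items():
        for url in PLAINTEXT_URL_RE.findall(text):
            findings["plaintext_urls"].append(f"{path}: {url}")
    return findings


# Constructed sample extension modelled on a shopping toolbar (not Amazon's real files).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example Shopping Button",
    "permissions": ["tabs", "<all_urls>"],
    "background": {"scripts": ["background.js"]},
})
SAMPLE_SOURCES = {
    "background.js": (
        "// fetch the list of HTTPS sites to inspect and the XPath rules\n"
        "var CONF = 'http://config.example/toolbar/search_conf.js';\n"
        "var LIST = 'http://config.example/toolbar/httpsdatalist.dat';\n"
        "var API  = 'https://report.example/collect';\n"
    ),
}

if __name__ == "__main__":
    for kind, items in audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES).items():
        print(kind, items)
```

Run against the constructed sample it reports the `<all_urls>` grant and the two plaintext configuration URLs while leaving the HTTPS reporting endpoint alone.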